Malicious and infected files often come in different sizes, ranging from a few kilobytes to several gigabytes. Antivirus analysis of large files downloaded or copied via a network often significantly impacts the computer's performance and the file download speed. The downloading and copying of files via a network is usually done using the system file cache, located in the operating memory of the computer. The system cache has a small size, but user processes can access data in the system cache much faster than data on the disk. When downloading files whose size significantly exceeds the size of the system cache, the contents of the system cache need to be flushed as the cache fills up. Flushing the system cache involves copying the contents of the cache to the disk and then clearing the cache.
Files can also be downloaded without the system file cache, that is, with the use of a so-called "write-through", when data is written directly to the disk. However, during the write-through, the data is additionally duplicated into the cache. Furthermore, files can be downloaded using the user application's own cache, with the application performing the writing. In these cases, the download is done by writing small data blocks (usually up to 64 kilobytes) to the disk. To protect the data in the event of a system failure, after each data block is written the file is closed for writing (for example, the input/output manager request IRP_MJ_CLEANUP), after which it is opened for writing again (the input/output manager request IRP_MJ_CREATE), and the next data block is written.
The frequency of flushing the system cache also depends on the application performing the file download. For example, different Internet browsers, file download managers and torrent clients use different file download technologies and, therefore, may flush the system cache to disk at different frequencies. Similarly, if an application does not use the system cache during the file download, but writes small data blocks, as in the second example, the size of the data block may differ from one application to another.
When copying a large file (such as one of more than 100 megabytes), the system cache is flushed rather often. After each cache flush, the data on the disk changes, and in this case the majority of antivirus applications will again perform an antivirus scan of the particular file or of the altered portion of the file, i.e., the contents of the system cache. The antivirus scan of large files (for example, an installer may take up several gigabytes) may significantly increase the file download time and slow down the operation of the computer. Thus, the need arises to optimize the process of performing an antivirus scan of large files during downloading from a network. A similar situation also arises during file write-through, since the size of the data block being written to the file seldom exceeds 64 kilobytes.
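The cost described above can be measured with a small simulation, added here as an illustration and not taken from the original text. It assumes a hypothetical scanner that fires on every file close, models the IRP_MJ_CLEANUP / IRP_MJ_CREATE cycle by reopening a temporary file in append mode for each 64-kilobyte block, and uses SHA-256 hashing as a stand-in for the scan engine; the names `scan` and `download` are invented for the example.

```python
import hashlib
import os
import tempfile

BLOCK = 64 * 1024  # write-through block size mentioned in the text


def scan(path, offset=0):
    """Stand-in for an AV scan: hash the file from `offset`, return bytes read."""
    digest = hashlib.sha256()
    read = 0
    with open(path, "rb") as f:
        f.seek(offset)
        while chunk := f.read(1 << 20):
            digest.update(chunk)
            read += len(chunk)
    return read


def download(total_size, rescan_whole_file):
    """Write `total_size` bytes in BLOCK-sized pieces, closing the file after
    each block and scanning on every close (assumed scanner behaviour).
    Returns (number_of_scans, total_bytes_scanned)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    scans = scanned = written = 0
    try:
        while written < total_size:
            n = min(BLOCK, total_size - written)
            with open(path, "ab") as f:   # reopen for writing (CREATE)
                f.write(b"\0" * n)        # constructed payload
            # File is closed here (CLEANUP): the on-close scan fires.
            scanned += scan(path, 0 if rescan_whole_file else written)
            written += n
            scans += 1
    finally:
        os.remove(path)
    return scans, scanned


if __name__ == "__main__":
    size = 2 * 1024 * 1024  # 2 MiB constructed "download"
    for whole in (True, False):
        scans, scanned = download(size, whole)
        print(f"whole_file={whole}: {scans} scans, "
              f"{scanned / size:.1f}x the file size read by the scanner")
```

Rescanning the whole file on each close makes the scanner's total work grow quadratically with file size, while scanning only the altered portion keeps the bytes read equal to the file size but still pays the per-scan overhead once per block.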